In a recent campaign, cybercriminals are looking for accomplices who are willing to smuggle ransomware into their own company in exchange for a share of the ransom. The trail leads to the infamous "Nigerian Prince" in Africa.
There are probably only a few people who have never found a message in their spam folder from a Nigerian prince who urgently needs to move a huge sum of money to safety and needs help doing so. Alternatively, the sender may be a tribal prince or an entrepreneur. This scam has been around for decades and should elicit no more than a weary smile from most of those who receive it.
From the spam scam to ransomware
That may also be the reason why the senders are now looking for a new line of business. According to a recent report by the security researchers at Abnormal Security, they appear to have found it in ransomware. In itself this is not surprising: ransomware promises big profits and can be rented for little money on the darknet. In this case, however, the criminals' approach is rather unusual and, to put it cautiously, is unlikely to have been conceived by a criminal mastermind.
Employees are supposed to smuggle in ransomware
Instead of using sophisticated social engineering to get employees to open a file that in turn installs the ransomware, the attackers contact potential accomplices via LinkedIn or other publicly available contact channels and politely ask whether they would be interested in receiving the DemonWare ransomware to install on their employer's systems. In return, they are promised a percentage of the ransom. In the case described by Abnormal Security, the criminals offered $40 million, 2.5 percent of the targeted $XNUMX million. Interested parties are asked to get in touch by e-mail or Telegram.
Complicity reward
That is exactly what the security researchers did, and they quickly found that they were not necessarily dealing with ransomware professionals. The expected ransom was soon reduced to $120,000, and with it the amount the potential accomplice would receive. It was also claimed that the accomplice ran no risk of being caught because the ransomware would encrypt all traces, including surveillance cameras. The security researchers continued to play along and eventually received a working version of the DemonWare ransomware, allegedly an in-house development of the attackers. This claim is plainly false, because DemonWare is freely available for download on GitHub.
Security researchers play along under cover and obtain the ransomware
Now, of course, the security researchers wanted to find out who was behind this somewhat amateurish scam, and they traced the contact details provided. This eventually led to a trading website dealing in the Nigerian currency, the naira, as well as to a Russian social media platform. Armed with this information, the security researchers asked the attacker whether he came from Nigeria, which he frankly admitted. According to Abnormal Security, this also explains the cybercriminals' approach: they are now transferring the basic tactics they have used in their spam campaigns for years to the field of ransomware in order to get a share of the boom in this malware, even if the chances of success of this particular campaign are arguably rather modest.
Even amateurs continue to increase the risk
Nevertheless, this approach should give companies something to think about, because ransomware gangs seek help from insiders again and again. Another example is the LockBit ransomware, whose operators are constantly looking for accomplices to gain access to corporate networks. Protection against such insider attacks, but also against entirely "normal" ransomware attacks, is offered, for example, by restricted user profiles without admin rights for all employees. Regular security updates, up-to-date anti-virus software and a tried-and-tested backup concept should be a matter of course anyway.
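As an added example illustrating the "no admin rights for all employees" recommendation above (this is not code from the article or from 8com), the following PowerShell snippet audits a Windows workstation's local Administrators group against an allow-list and reports any member who should not hold admin rights. The allow-list entries and the domain group name are assumptions to be adapted to the environment.

```powershell
# Added example: audit local Administrators membership against an allow-list.
# The approved principals below are placeholders; replace them with the
# accounts and groups that are actually permitted in your environment.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin account
    'CORP\Workstation-Admins'            # assumed domain group for IT staff
)

function Get-UnapprovedLocalAdmins {
    param(
        [string[]]$Approved = $ApprovedAdmins
    )
    # Get-LocalGroupMember ships with Windows PowerShell 5.1 and later.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $members) {
        if ($Approved -notcontains $m.Name) {
            # Emit one record per unexpected member for reporting or SIEM ingestion.
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Member      = $m.Name
                ObjectClass = $m.ObjectClass      # User or Group
                Source      = $m.PrincipalSource  # Local, ActiveDirectory, ...
            }
        }
    }
}

$findings = Get-UnapprovedLocalAdmins
if ($findings) {
    $findings | Format-Table -AutoSize
    # A non-zero exit code lets a scheduled task or endpoint management tool flag the host.
    exit 1
}
else {
    Write-Output "No unapproved members in local Administrators on $env:COMPUTERNAME."
}
```

Run as a scheduled task or through an endpoint management tool, the script turns the "restricted user profiles" recommendation into a repeatable check: any employee account that has acquired local admin rights, whether by misconfiguration or by deliberate tampering, shows up in the report instead of going unnoticed.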
More at 8com.de
About 8com
The 8com Cyber Defense Center effectively protects the digital infrastructures of 8com's customers from cyber attacks. It includes security information and event management (SIEM), vulnerability management and professional penetration tests. It also offers the setup and integration of an Information Security Management System (ISMS), including certification according to current standards. Awareness measures, security training and incident response management round off the offering.